Managed Video as a Service

The place to learn about and discuss Managed Video as a Service

Most traditional DVR vendors answer the PCI question with a simple response: “The DVR doesn’t process credit card transactions; therefore it does not have to be PCI compliant.” Unfortunately, this response ignores the fact that any Internet-accessible DVR is a serious risk to the merchant’s PCI compliance unless it meets the PCI-DSS standards. Why? Because if the DVR isn’t secure, a “bad guy” could potentially gain unauthorized access and then use it as a platform to steal cardholder information.

If you hear the above response from your DVR vendor, walk away from them, as quickly as you can!

Do end users really care about this? Well, here are a series of concerns from one enlightened end user with over 500 locations (quick service):

However, they [DVR] must meet the PCI standards for a networked device since it would reside on the same network as our back office system and POS systems:

  • Some sort of Firewall should be present on the DVR. Need to show that the DVRs are being properly managed as far as timely installation of security patches and port management. A sampling of the DVRs would need to be included in annual penetration tests.
  • The DVRs should be able to provide an audit trail of access to the device.
  • Documentation would need to be provided to our auditors when we have these annual PCI audits showing how security on the DVR is managed and monitored.
  • If [Service Provider] utilizes a central server to record the data from our stores, meaning they have connectivity to our store network, then the data center where that server is located must meet PCI standards.

These are just a few of the concerns. In short, PCI-DSS certification is quickly becoming a mandatory requirement.

Not convinced yet? Next week I’ll share an RFP for 6000 stores that talks about PCI. Have a great Memorial Day.
